Revision D
COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Installation Guide
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Other third-party applications . . . . . . . . . . . . . . . . . . . . . . . . . 12
Server requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Manager installation with local service account privileges . . . . . . . . . . . . . . 13
Client requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Java runtime engine requirements . . . . . . . . . . . . . . . . . . . . . . . . 15
Database requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Recommended Manager specifications . . . . . . . . . . . . . . . . . . . . . . . . . 16
Determine your database requirements . . . . . . . . . . . . . . . . . . . . . . 16
Pre-installation recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
How to plan for installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Functional requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
How to use anti-virus software with the Manager . . . . . . . . . . . . . . . . . . 20
User interface responsiveness . . . . . . . . . . . . . . . . . . . . . . . . . 21
Download the Manager/Central Manager executable . . . . . . . . . . . . . . . . . . . . 21
Adding a Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Preface
This guide provides the information you need to install your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Users: People who use the computer where the software is running and can access some or all of
its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis
Bold
Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue
Find product documentation
User documentation
KnowledgeBase
This section describes the McAfee Network Security Manager (Manager) hardware and software
requirements and pre-installation tasks you should perform prior to installing the software.
In this section, unless explicitly stated, Central Manager and Manager are commonly referred to as
"Manager."
Contents
Prerequisites
Recommended Manager specifications
Pre-installation recommendations
Download the Manager/Central Manager executable
Prerequisites
The following sections list the Manager installation and functionality requirements for your operating
system, database, and browser.
We strongly recommend that you also review Network Security Platform 7.5.3 Release Notes.
If you are installing the Manager as part of an upgrade to the latest version of Network Security
Platform, also refer to Network Security Platform 7.5 Upgrade Guide.
General settings
McAfee recommends you use a dedicated server, hardened for security, and placed on its own
subnet. This server should not be used for programs like instant messaging or other non-secure
Internet functions.
You must have Administrator/root privileges on your Windows server to properly install the Manager
software, as well as the installation of an embedded MySQL database for Windows Managers during
Manager installation.
It is essential that you synchronize the time on the Manager server with the current time. To keep
time from drifting, use a timeserver. If the time is changed on the Manager server, the Manager will
lose connectivity with all McAfee Network Security Sensors (Sensors) and the McAfee Network
Security Update Server [formerly IPS Update Server] because SSL is time sensitive.
If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the
Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds
two minutes, communication with the Sensors will be lost.)
For more information about setting up a time server on Windows Servers, see the following
Microsoft KnowledgeBase article: http://support.microsoft.com/kb/816042/.
Once you have set your server time and installed the Manager, do not change the time on the
Manager server for any reason. Changing the time may result in errors that could lead to loss of
data.
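The clock requirements above (a time server, under 60 seconds between the MDR Primary and Secondary Managers, loss of Sensor communication beyond two minutes) can be verified with a small SNTP client before the Manager is installed. The following is an added example, not McAfee's code: it uses the RFC 4330 packet layout and the four-timestamp offset formula, and the function names, the "warning" band between the two thresholds, and the constructed reply used for the offline run are this example's own.

```python
"""Clock-offset check for a Manager server against an NTP/SNTP time server.

Added example (not McAfee's code). It builds an SNTP client request, parses the
48-byte server reply (RFC 4330 layout) and computes the offset with the usual
four-timestamp formula. The thresholds are the guide's MDR figures: under 60 s is
acceptable, beyond two minutes Sensor communication is lost.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MDR_OK_SECONDS = 60           # guide: Primary/Secondary Manager clocks must differ by < 60 s
MDR_LOST_SECONDS = 120        # guide: beyond two minutes, communication with Sensors is lost


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2.0 ** 32


def unix_to_ntp(unix_time):
    """Inverse of ntp_to_unix; used when building packets."""
    whole = int(unix_time)
    return whole + NTP_UNIX_DELTA, int((unix_time - whole) * 2 ** 32)


def build_request(originate_unix):
    """48-byte SNTP client request: LI=0, VN=4, Mode=3; transmit timestamp = originate time."""
    first_byte = (0 << 6) | (4 << 3) | 3
    secs, frac = unix_to_ntp(originate_unix)
    return struct.pack("!B39x", first_byte) + struct.pack("!II", secs, frac)


def parse_response(data):
    """Return (receive_unix, transmit_unix) from a server reply.

    Receive timestamp is bytes 32-39, transmit timestamp bytes 40-47. Only mode 4
    (server) is accepted, and an all-zero transmit timestamp (unsynchronized server)
    is rejected rather than silently producing a huge offset.
    """
    if len(data) < 48:
        raise ValueError("short SNTP packet (%d bytes)" % len(data))
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    if tx_s == 0 and tx_f == 0:
        raise ValueError("server transmit timestamp is zero; server is not synchronized")
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset: t1 client send, t2 server receive, t3 server send, t4 client receive."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def classify_skew(offset_seconds):
    """Map an offset to the guide's thresholds for the two MDR Managers."""
    skew = abs(offset_seconds)
    if skew < MDR_OK_SECONDS:
        return "ok"
    if skew <= MDR_LOST_SECONDS:
        return "warning"
    return "sensor-communication-lost"


def query_server(host, port=123, timeout=3.0):
    """Ask one time server once; returns (offset_seconds, classification). Needs network access."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    finally:
        sock.close()
    t2, t3 = parse_response(data)
    offset = clock_offset(t1, t2, t3, t4)
    return offset, classify_skew(offset)


def constructed_reply(receive_unix, transmit_unix):
    """Server-mode reply with the given timestamps: constructed test data, no network needed."""
    first_byte = (0 << 6) | (4 << 3) | 4
    rx_s, rx_f = unix_to_ntp(receive_unix)
    tx_s, tx_f = unix_to_ntp(transmit_unix)
    return struct.pack("!B31x", first_byte) + struct.pack("!IIII", rx_s, rx_f, tx_s, tx_f)


if __name__ == "__main__":
    # Offline demonstration: a server whose clock runs 90 s ahead of this host.
    t1 = 1700000000.0
    t2, t3 = parse_response(constructed_reply(t1 + 90.0, t1 + 90.0))
    offset = clock_offset(t1, t2, t3, t1)
    print("offset %+.1f s -> %s" % (offset, classify_skew(offset)))
```

Run `query_server("<your time server>")` from both MDR Managers; if either result is not "ok", fix the clocks before installing, since once the Manager is installed the guide says the server time must not be changed.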
Server requirements
The following table lists the 8.0 Manager server requirements:
                          Minimum required        Recommended
Operating system
Memory                    8GB                     8GB or more
CPU                                               Same
Disk space                100GB                   300GB or more
Network                   100Mbps card            1000Mbps card
Monitor

                          Minimum
Virtualization software   VMware ESX Server version 4.0 update 1 and version 4.1, ESXi 5.0, ESXi 5.1
CPU
Memory
Internal Disks            1 TB

                          Minimum                 Recommended
                                                  Same as minimum required.
Memory                    8GB                     8GB or more
Virtual CPUs              2 or more
Disk Space                100GB                   300GB or more
The Local Service account has fewer privileges for accessing directories and resources than the Local
System account. By default, the Manager installation directory and database directory are granted full
permission for the Local Service account during installation or upgrade of the Manager.
Backup directory location: If the backup directory was different from the Manager installation
directory before the upgrade to the current release, grant the Local Service account full permission
on that directory.
Notification script execution: If a notification script (for alerts, faults, and so on) accesses directories
or resources outside the Manager installation directories, grant the Local Service account full
permission on those directories.
Database configuration: If the MySQL database is configured to use a directory for temporary files
other than the one provided during installation, grant the Local Service account full permission on
that directory.
Client requirements
The following are the system requirements for client systems connecting to the Manager application.
                     Minimum                        Recommended
Operating system
RAM                  2 GB                           4 GB
CPU
Browser              Internet Explorer 9 or 10      Internet Explorer 10
                     Mozilla Firefox
                     Google Chrome
For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating
systems mentioned for the Manager server.
If you are using Google Chrome and the Manager page does not load, then clear the cache and
re-launch the browser.
The following table lists the 8.0 Central Manager / Manager client requirements when using Mac:
Mac operating system     Browser
Lion                     Safari 6
Mountain Lion
Access the Manager through a client browser. See Client requirements for the list of supported
clients and browsers.
Set your display to 32-bit color. Right-click on the Desktop and select Screen Resolution, go to
Advanced Settings | Monitor, and configure Colors to True Color (32 bit).
McAfee recommends setting your monitor's screen area to 1440 x 900 pixels. Right-click on the
Desktop and select Screen Resolution. Set Resolution to 1440 x 900.
Browsers typically should check for newer versions of stored pages. For example, Internet Explorer,
by default, is set to automatically check for newer stored page versions. To check this function,
open your Internet Explorer browser and go to Tools | Internet Options | General. Click the Settings button
under Browsing History or Temporary Internet files, and under Check for newer versions of stored pages:
select any of the four choices except for Never. Selecting Never will cache Manager interface pages
that require frequent updating, and not refreshing these pages may lead to system errors.
If you are using Internet Explorer 8 or 9, then go to Tools | Compatibility View Settings and make sure
Display intranet sites in Compatibility View and Display all websites in Compatibility View check boxes are not
selected.
Internet Explorer settings when accessing the Manager from the server
McAfee recommends accessing the Central Manager and Manager from a client system. However,
there may be occasions when you need to manage from the server itself. To do so, you must make the
following changes to the server's Internet Explorer options.
Regardless of whether you use a client or the server, the following Internet Explorer settings must be
enabled. On Windows client operating machines, these are typically enabled by default but disabled on
server operating systems.
In the Internet Explorer, go to Tools | Internet Options | Security | Internet | Custom Level and enable the
following:
ActiveX controls and plug-ins: Script ActiveX controls marked safe for scripting
In the Internet Explorer, go to Tools | Internet Options | Privacy and ensure the setting is configured as
something below Medium High. For example, do not set it at High or at Block all Cookies. If the setting is
higher than Medium High, you will receive an Unable to configure Systems. Permission denied error
and the Manager configuration will not function.
If you had Central Manager/Manager 7.5.5 installed, the default client side JRE version is 1.7.0.21.
You can change the client side JRE version requirement by modifying the value for
iv.ui.jre.minimum.version in the ems.properties file. The path to this file is <Manager installation
folder>\App\config. The details on how to replace the bundled client side JRE are also provided in
this file.
Database requirements
The Manager requires communication with MySQL database for the archiving and retrieval of data.
The Manager installation set includes a MySQL database for installation (that is, embedded on the
target Manager server). You must use the supported OS listed under Server requirements and must
use the Network Security Platform-supplied version of MySQL (currently 5.6.12). The MySQL database
must be a dedicated one that is installed on the Manager.
If you have a MySQL database previously installed on the Manager server, uninstall the previous version
and install the Network Security Platform version.
See also
Server requirements on page 12
Aggregate alert and packet log volume from all Sensors: Many Sensors amount to a higher alert volume
and require additional storage capacity. Note that an alert is roughly 2048 bytes on average, while a
packet log is approximately 1300 bytes.
Lifetime of alert and packet log data: You need to consider the time before you archive or delete an
alert. Maintaining your data for a long period of time (for example, one year) will require additional
storage capacity to accommodate both old and new data.
As a best practice, McAfee recommends archiving and deleting old alert data regularly, and attempting
to keep your active database size to about 60 GB.
For more information, see Capacity Planning, McAfee Network Security Platform Manager Administration
Guide.
Pre-installation recommendations
The server, on which the Manager software will be installed, should be configured and ready to be
placed online.
This server should be dedicated, hardened for security, and placed on its own subnet. This server
should not be used for programs like instant messaging or other non-secure Internet functions.
Make sure your hardware requirements meet at least the minimum requirements.
Ensure the proper static IP address has been assigned to the Manager server. For the Manager
server, McAfee strongly recommends assigning a static IP against using DHCP for IP assignment.
Ensure that all parties have agreed to the solution design, including the location and mode of all
McAfee Network Security Sensor, the use of sub-interfaces or interface groups, and if and how the
Manager will be connected to the production network.
Get the required license file and grant number. Note that you do not require a license file for using
Manager/Central Manager version 6.0.7.5 or above.
Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs. Ensure these are
approved hardware from McAfee or a supported vendor. Ensure that the required number of
Network Security Platform dongles, which ship with the Sensors, are available.
Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly
connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the
Fast Ethernet ports.
If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to
mirror them.
Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot assign IPs using
DHCP.
Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail
relays, SNMP managers, and vulnerability scanners.
See also
Server requirements on page 12
Functional requirements
Following are the functional requirements to be taken care of:
Ensure the correct version of JRE is installed on the client system, as described in the earlier
section. This can save a lot of time during deployment.
Manager uses port 4167 as the UDP source port to bind for IPv4 and port 4166 for IPv6. If you
have Sensors behind a firewall, you need to update your firewall rules accordingly such that ports
4167 and 4166 are open for the SNMP command channel to function between those Sensors and
the Manager. This applies to a local firewall running on the Manager server as well.
Determine a way in which the Manager maintains the correct time. To keep time from drifting, for
example, point the Manager server to an NTP timeserver. (If the time is changed on the Manager
server, the Manager will lose connectivity with all Sensors and the McAfee Network Security
Update Server because SSL is time sensitive.)
If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the
Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds
two minutes, communication with the Sensors will be lost.)
If you are upgrading from a previous version, we recommend that you follow the instructions in the
respective version's release notes or, if applicable, the McAfee Network Security Platform Upgrade
Guide.
If a firewall resides between the Sensor, Manager, or administrative client, which includes a local
firewall on the Manager, the following ports must be opened:
Port #   Protocol   Description                         Direction of communication
         UDP                                            Manager-->Sensor
8501     TCP                                            Sensor-->Manager
8502     TCP                                            Sensor-->Manager
8503     TCP
8504     TCP
8506     TCP
8507     TCP                                            Sensor-->Manager
8508     TCP                                            Sensor-->Manager
8509     TCP                                            Sensor-->Manager
8510     TCP                                            Sensor-->Manager
8555     TCP                                            client-->Manager
443      TCP        HTTPS                               client-->Manager
80       TCP        (Webstart/JNLP, Console Applets)    client-->Manager
22       TCP        SSH                                 Sensor-->Manager
If you choose to use non-default ports for the Install port, Alert port, and Log port, ensure that those
ports are also open on the firewall.
Note that 3306/TCP is used internally by the Manager to connect to the MySQL database.
If you have Email Notification or SNMP Forwarding configured on the Manager, and there is firewall
residing between the Manager and your SMTP or SNMP server, ensure the following ports are
available as well.
Port #   Protocol   Description            Direction of communication
25       TCP        SMTP                   Manager-->SMTP server
49       TCP        TACACS+ Integration    Sensor-->TACACS+ server
162      UDP        SNMP Forwarding        Manager-->SNMP server
389      TCP                               Manager-->LDAP server
443      TCP                               Manager 1-->Manager 2
443      TCP                               Manager 2-->Manager 1
514      UDP                               Manager-->Syslog server
636      TCP                               Manager-->LDAP server
1812     UDP        RADIUS Integration     Manager-->RADIUS server
If you have McAfee ePO integration configured on the Manager, and there is a firewall between the
Manager and the McAfee ePO Server, ensure the following port is also allowed through the firewall.
Port     Description            Communication
8443
Close all open programs, including email, the Administrative Tools > Services window, and
instant messaging before installation to avoid port conflicts. A port conflict may prevent the
application from binding to the port in question because it will already be in use.
The Manager is a standalone system and should not have other applications installed.
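The port tables and the port-conflict warning above translate into two pre-installation checks: the rule set a firewall team has to be given, and whether anything on the Manager server already holds a port the Manager will need. The following is an added example, not McAfee's code. The port rows are transcribed from the tables in this section; the integration names (`smtp`, `mdr`, ...), the function names, and the assumption that custom Install/Alert/Log ports are TCP from Sensor to Manager are this example's own, and rows whose description or direction the guide does not show are carried with that field empty.

```python
"""Firewall checklist and port-conflict check for a Manager deployment.

Added example (not McAfee's code). The port rows are transcribed from the guide's
tables; integration names, function names and the "TCP, Sensor-->Manager" assumed
for custom Install/Alert/Log ports are this example's own. Rows whose description
or direction the guide does not show are carried with that field empty.
"""
import socket

# (port, protocol, direction) between Sensors, clients and the Manager.
MANAGER_PORTS = [
    (8501, "tcp", "Sensor-->Manager"), (8502, "tcp", "Sensor-->Manager"),
    (8503, "tcp", ""), (8504, "tcp", ""), (8506, "tcp", ""),
    (8507, "tcp", "Sensor-->Manager"), (8508, "tcp", "Sensor-->Manager"),
    (8509, "tcp", "Sensor-->Manager"), (8510, "tcp", "Sensor-->Manager"),
    (8555, "tcp", "client-->Manager"), (443, "tcp", "client-->Manager"),
    (80, "tcp", "client-->Manager"), (22, "tcp", "Sensor-->Manager"),
]
# Manager-side UDP source ports of the SNMP command channel; open both on any firewall
# between Manager and Sensors, including a local firewall on the Manager server.
SNMP_SOURCE_PORTS = {"ipv4": 4167, "ipv6": 4166}

# Optional integrations (guide's second and third tables), keyed by names of this example's own.
INTEGRATION_PORTS = {
    "smtp": [(25, "tcp", "Manager-->SMTP server")],
    "tacacs": [(49, "tcp", "Sensor-->TACACS+ server")],
    "snmp_forwarding": [(162, "udp", "Manager-->SNMP server")],
    "ldap": [(389, "tcp", "Manager-->LDAP server")],
    "ldaps": [(636, "tcp", "Manager-->LDAP server")],
    "mdr": [(443, "tcp", "Manager 1-->Manager 2"), (443, "tcp", "Manager 2-->Manager 1")],
    "syslog": [(514, "udp", "Manager-->Syslog server")],
    "radius": [(1812, "udp", "Manager-->RADIUS server")],
    "epo": [(8443, "tcp", "")],
}
# 3306/TCP is used internally by the Manager to reach MySQL: it is never a firewall rule.
INTERNAL_ONLY = {3306}


def required_rules(integrations=(), install_port=None, alert_port=None, log_port=None):
    """Return the de-duplicated list of (port, protocol, direction) a firewall must allow.

    Unknown integration names raise instead of being skipped, and an attempt to
    expose an internal-only port raises, so a bad change request fails loudly.
    """
    rules = list(MANAGER_PORTS)
    for name in integrations:
        if name not in INTEGRATION_PORTS:
            raise ValueError("unknown integration: %s" % name)
        rules.extend(INTEGRATION_PORTS[name])
    # Non-default Install/Alert/Log ports must be opened too. The guide states the
    # requirement but not protocol or direction; TCP Sensor-->Manager is assumed here.
    for custom in (install_port, alert_port, log_port):
        if custom is None:
            continue
        if custom in INTERNAL_ONLY:
            raise ValueError("port %d is internal to the Manager (MySQL)" % custom)
        rules.append((custom, "tcp", "Sensor-->Manager"))
    seen, unique = set(), []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            unique.append(rule)
    return unique


def manager_listener_ports(rules):
    """TCP ports the Manager itself must be able to bind (anything flowing *-->Manager)."""
    return sorted({p for p, proto, direction in rules
                   if proto == "tcp" and direction.endswith("-->Manager")})


def port_in_use(port, host="127.0.0.1"):
    """True if host:port cannot be bound because another program already holds it.

    This is the BIND error the guide warns about: close other programs before
    installing so the Manager can take its ports. None means the port is privileged
    and this process lacks the rights to test it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return False
    except PermissionError:
        return None
    except OSError:
        return True
    finally:
        sock.close()


def port_conflicts(rules, host="127.0.0.1"):
    """Which Manager listener ports are already taken on this host."""
    return [p for p in manager_listener_ports(rules) if port_in_use(p, host) is True]


def format_rules(rules):
    """Plain-text checklist, one line per rule, for a firewall change request."""
    return "\n".join("%-6d %-4s %s" % (p, proto.upper(), direction or "(direction not listed)")
                     for p, proto, direction in rules)


def demo_conflict():
    """Hold an ephemeral port and show that the check detects it (constructed scenario)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        return port_in_use(listener.getsockname()[1])
    finally:
        listener.close()


if __name__ == "__main__":
    rules = required_rules(["smtp", "syslog", "mdr"], alert_port=9502)
    print(format_rules(rules))
    print("SNMP command channel source ports:", SNMP_SOURCE_PORTS)
    print("conflicts on this host:", port_conflicts(rules))
```

Run the script on the Manager server as an administrator right before starting the installer; any port listed under "conflicts" is one the Manager would fail to bind, which is exactly the startup BIND error the guide describes.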
<Manager installation directory>\MySQL and its sub-folders. If these folders are not excluded,
Network Security Platform packet captures may result in the deletion of essential MySQL files.
Right-click the task called Access Protection and choose Properties from the right-click menu.
Highlight the rule called Prevent mass mailing worms from sending mail.
Click Edit.
During Manager software installation, use the recommended values for memory and connection
allocation.
You will experience better performance in your configuration and data forensic tasks by connecting
to the Manager from a browser on a client machine. Performance may be slow if you connect to the
Manager using a browser on the server machine itself.
Perform monthly or semi-monthly database purging and tuning. The greater the quantity of alert
records stored in the database, the longer it will take the user interface to parse through those
records for display in the Threat Analyzer. The default Network Security Platform settings err on the
side of caution and leave alerts (and their packet logs) in the database until the user explicitly
decides to remove them. However, most users can safely remove alerts after 30 days.
It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge
process will fragment the database, which can lead to significant performance degradation.
Defragment the disks on the Manager on a routine basis, with the exception of the MySQL
directory. The more often you run your defragmenter, the quicker the process will be. Consider
defragmenting the disks at least once a month.
Do NOT attempt to defragment the MySQL directory using the operating system's defrag utility. Any
fragmentation issues in the tables are rectified when you tune the database. For more information
on database tuning, see the Manager Administration Guide.
Limit the quantity of alerts to view when launching the Threat Analyzer. This will reduce the total
quantity of records the user interface must parse and therefore potentially result in a faster initial
response on startup.
When scheduling certain Manager actions (backups, file maintenance, archivals, database tuning),
set a time for each that is unique and is a minimum of an hour after/before other scheduled
actions. Do not run scheduled actions concurrently.
Task
1
Keep the following information handy before you begin the installation process. You must have
received the following from McAfee via email.
22
Grant Number and Password If you have not received your credentials, contact McAfee
Technical Support [http://mysupport.mcafee.com/]
Go to McAfee Update Server [https://menshen.intruvert.com/] and log on, using the Grant Number
and Password.
Go to Manager Software Updates | <required version number> folder and select the required Manager software
version.
This section contains installation instructions for the Central Manager and Manager software on your
Windows server, including the installation of a MySQL database.
In this section, unless explicitly stated, Central Manager and Manager are commonly referred to as
"Manager."
Close all open programs, including email, the Administrative Tools | Services window, and instant messaging
to avoid port conflicts. A port conflict may cause the Manager program to incur a BIND error on startup,
hence failing initialization.
Close any open browsers and restart your server after installation is complete. Open browsers may be
caching old class files and cause conflicts.
IIS (Internet Information Server) and PWS (Personal Web Server) must be disabled or uninstalled
from the target server.
Task
1
Prepare your target server for Manager software installation. See Preparing for installation.
Start the Manager program. During initial client login from the Manager server or a client machine,
the required Java runtime engine software must be present for proper program functionality. See
Starting the Manager software.
Tasks
See also
Starting the Manager/Central Manager on page 3
Contents
Installing the Manager
Install the Central Manager
Log files related to Manager installation and upgrade
Notes:
Ensure that the pre-requisites have been met and your target server has been prepared before
commencing installation.
You can exit the setup program by clicking Cancel in the setup wizard. Upon cancellation, all
temporary setup files are removed, restoring your server to its same state prior to installation.
After you complete a step, click Next; click Previous to go one step back in the installation process.
The Installation Wizard creates the default folders based on the Manager Type you are installing.
For example, for a first-time installation of Network Security Manager, the default location is C:
\Program Files\McAfee\Network Security Manager\App. For Network Security Central Manager,
it is C:\Program Files\McAfee\Network Security Central Manager\App. Similarly, the Wizard
creates default folders for the MySQL database as well. For the sake of explanation, this section
mentions only the folder paths for Network Security Manager unless it is necessary to mention the
path for Network Security Central Manager.
Before you begin to install, make sure the Windows Regional and Language Options are configured
accordingly. For example, if you are installing it on Windows Server 2008 R2 Standard or Enterprise
Edition, Japanese OS, SP1 (64 bit) (Full Installation), ensure that the Windows Regional and
Language Options are configured for Japanese.
When you install the Manager for the first time, it is automatically integrated with McAfee Global
Threat Intelligence to send your alert, general setup, and feature usage data to McAfee for
optimized protection. If you do not wish to send these data, then disable the integration with
Global Threat Intelligence. However, note that to be able to query McAfee GTI IP Reputation for
information on the source or target host of an attack, you need to send at least your alert data
summary to McAfee. For details, see Integration Guide.
Task
1
Log onto your Windows server as Administrator and close all open programs.
Run the Manager executable file that you downloaded from the McAfee Update Server.
The Installation Wizard starts with an introduction screen. For information on downloading the
executable, see Downloading the Manager/Central Manager executable.
Confirm your acknowledgement of the License Agreement by selecting "I accept the terms of the
License Agreement."
You will not be able to continue the installation if you do not select this option.
Select the Manager type to choose installation of either Network Security Manager or Network Security Central
Manager.
For an upgrade, Network Security Manager or Network Security Central Manager is displayed
accordingly which you cannot change.
The Network Security Central Manager once installed cannot be converted to Network Security
Manager or vice versa.
Restore Default Folder: resets the installation folder to the default location.
On the Desktop
You can include or remove multiple options by using the relevant check boxes.
Database Name: Type a name for your database. It is recommended that you keep the default entry of lf
intact.
The MySQL database name can be a combination of letters [both uppercase (A-Z) and
lowercase (a-z)], numbers [0-9] and/or the special characters dollar and underscore [$ _].
Database User: Type a user name for database-Manager communication; this account name is used
by the Manager. This account enables communication between the database and the Manager.
When typing a user name, observe the following rules:
- The MySQL database user name can be a combination of letters [both uppercase (A-Z) and
lowercase (a-z)], numbers [0-9] and/or special characters like "~ ` ! @ # $ % - * _ + [ ] : ; ,
( ) ? { }".
- The first character must be a letter.
- Do not use null or empty characters.
- Do not use more than 16 characters.
Database Password: Type a password for the database-Manager communication account. This
password belongs to the Database User account.
- The MySQL database password can be a combination of letters [both uppercase (A-Z) and
lowercase (a-z)], numbers [0-9] and/or special characters like "~ ` ! @ # $ % - * _ + [ ] : ; ,
( ) ? { }".
- Do not use null or empty characters.
This password is not the root password for database management; you will set the root password
in a subsequent step.
MySQL Installation Directory: Type or browse to the absolute location of your selected Manager
database. For a first-time installation, the default location is: C:\program files\McAfee\Network
Security Manager\MySQL. For upgrades, the default location is the previous installation
directory. You can type or browse to a location different from the default. However, the database
must be on the same server as the Manager.
Click Next.
If you are creating a new database, Network Security Platform will ask you, through a pop-up
window, to confirm that you really want to create a new database. Click Continue to continue with the
installation.
Type the root password for your database. If this is the initial installation, type a root password and
then type it again to confirm.
The MySQL Root Password is required for root access configuration privileges for your MySQL database.
Use a combination of letters [both uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or
special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
Do not use null or empty characters.
For security reasons, you can set a MySQL Root Password that is different from the Database Password that
you set in a previous step.
10 Choose the folder in which you wish to install the Solr database.
The Manager uses Apache Solr for quick retrieval of data. Solr is an open-source search platform
from the Apache Lucene project. The Manager makes use of Solr to retrieve data to be displayed in
the Manager Dashboard and Analysis tabs.
For a first-time installation, the default location is C:\Program Files\McAfee\Network Security
Manager\Solr.
The following options are available in the wizard:
Restore Default Folder: resets the installation folder to the default location.
Solr is used by the Manager to enhance database access. This helps in faster data refresh in the
Manager dashboard and monitors.
Verify that you have at least 20 GB of free space before you install Solr.
11 Click Next.
Make sure the OS version displayed in the Customize Installation page of the Wizard is correct. If
your server is 64-bit and if the OS Version displays as 32-bit then you may not have set the
Windows Regional and Language Options to match the language of the OS. For example, if it is a
Japanese OS, then you must have configured the Regional and Language Options for Japanese. You
can access the Regional and Language Options dialog from the Windows Control Panel. If the OS
version is incorrect, then you must abort the Manager installation, change the Regional and
Language Options accordingly, and then begin the installation again.
Number of Sensors: Select the numbers of McAfee Network Security Sensors (Sensors) to be
managed by this installation of the Manager.
Actual Maximum DB connections: Enter the maximum number of concurrent database connections
allowed from the Manager. The default is 40. The recommended number indicated above is
based on the Number of Sensors.
14 If the Manager server has multiple IPv4 or IPv6 addresses, you can specify a dedicated address
that it should use to communicate with the NSP devices.
To specify an IP, select Use IPV4 Interface? or Use IPV6 Interface? and then select the address from the
corresponding list.
In the Wizard, the option to specify a dedicated interface is displayed only if the Manager has more
than one IPv4 or IPv6.
When configuring the sensors, you need to configure the same IP that you selected here as the
IP address used to communicate with the NSP devices.
If the Manager has an IPv6 address then you can add Sensors with IPv6 addresses to it.
Post-installation, if you want to change the dedicated IP that you already specified, you need to
re-install the Manager.
15 In the Manager Installation wizard, review the Pre-Installation Summary section for accurate folder
locations and disk space requirements. This page lists the following information:
Product Name: shows product as Manager (for both Manager and Central Manager).
Database: the type of database being used by Network Security Platform, which is MySQL.
Database Installation location: the location on your hard drive where the database is to be located,
which you specified in Step 7.
Dedicated Interface: the IPv4 and IPv6 addresses that you specified for Manager-to-Sensor
communication are displayed.
16 Click Install.
The Manager software and the MySQL database are installed to your target server. In case of an
upgrade, database information is synchronized during this process.
Post-installation, you can check the initdb.log (from <Manager install directory>\App) for any
installation errors. In case of errors, contact McAfee Support with initdb.log.
URL for accessing the web-based user interface. For example, if the Manager server's computer
name is Callisto, then the URL is https://Callisto
default Username
18 Click Done.
19 Use the shortcut icon that you created to begin using the Manager.
The Manager program opens by default in https mode for secure communication.
20 Type a valid Login ID (default: admin) and Password (default: admin123) for Network Security
Manager and Login ID (default: nscmadmin) and Password (default: admin123) for Network
Security Central Manager.
Upon initial client login, you are required to install Java applications. See Java installation for client
systems.
21 You can use the Manager Initialization Wizard to complete the basic configuration steps.
See also
Prerequisites on page 11
Download the Manager/Central Manager executable on page 21
Java installation for client systems on page 44
There can be only one active installation on a Windows machine. Every Central Manager and Manager
installation has its own MySQL database. No centralized database exists in a Central Manager setup.
The Central Manager has to be of an equal or higher version than the corresponding Managers.
See also
Installing the Manager on page 23
dbconsistency.log: When you upgrade the Central Manager or Manager, the installed database
schema is compared against the actual schema of the version you are upgrading to. This
comparison is to check for any inconsistencies. The details of this comparison are logged to this file
as error, warning, and informational messages. This file is stored at <Central Manager or
Manager install directory>\App. You can verify this log to check if any database inconsistency
is the cause of an issue. This file is updated whenever you upgrade the Central Manager or
Manager.
This section assumes you have permissions granting you access to the software. In Network Security
Platform, this translates to a Super User role at the root admin domain. Your actual view of the
interface may differ, depending on the role you have been assigned within Network Security Platform.
For example, certain tasks may be unavailable to you if your role denies you access. If you find you
are unable to access a screen or perform a particular task, consult your Network Security Platform
Super User.
For testing purposes, you can access the Manager from the server. For working with the Manager/
Central Manager, McAfee recommends that you access the server from a client machine. Running the
Manager/Central Manager interface client session on the server can result in slower performance due to
program dependencies, such as Java, which may consume a lot of memory.
Make sure the following services are running on the Manager server:
McAfee Network Security Manager Watchdog. The default Windows Startup Type for this service is
manual. So, you might have to manually start this service.
McAfee Network Security Central Manager Watchdog. The default Windows Startup Type for this
service is manual. So, you might have to manually start this service.
You can follow one of these methods to start the Manager, Database, User Interface, and Watchdog
services:
Select Start | Settings | Control Panel. Double-click Administrative Tools, and then double-click Services.
Locate the services starting with McAfee Network Security Manager.
Right-click on the Manager icon at the bottom-right corner of your server and start the required
service. The database service is not available with this option.
Open the Manager using the shortcut icon that you created during installation.
The interface opens in an Internet Explorer window in HTTPS mode for secure communication.
Tasks
Contents
Accessing the Manager from a client machine
Java installation for client systems
Authentication of access to the Manager using CAC
Shut down the Manager/Central Manager services
Start your browser (Internet Explorer 8.0, 9.0, or 10, or Firefox 7.0) and then type the URL of the
Manager server:
https://<hostname or host-IP>
When a smart card reader is connected to your Manager client and a user swipes a smart card, the
card reader authenticates whether the digital certificate and the user information are trusted and valid.
If the user information is trusted, the client browser retrieves the certificate from the CAC, with the
help of the CAC software, and sends it to the Manager. The Manager receives the certificate and
verifies that it was issued by a trusted Certificate Authority (CA). If the certificate is from a trusted
CA, a secure session is established and the user is permitted to log on.
At a high level, authenticating user access to the Manager through CAC can be brought about by a
4-step process:
Open the command prompt, locate the OpenSSL/bin folder, and execute the following command:
openssl x509 -in <XXX.cer> -inform DER -out <YYY.pem> -outform PEM
All the PEM-encoded certificates can be combined into one master CA file; the SSLCACertificateFile
must contain the list of root CAs and intermediate CAs that are trusted by the Manager.
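The DER-to-PEM conversion and the combined master CA file described above, as an added example in stdlib Python (not McAfee code or part of this guide): it produces the same PEM output as the openssl command and merges PEM files into one SSLCACertificateFile bundle, refusing non-certificate blocks and dropping duplicates. ROOT_CA_DER and INTERMEDIATE_CA_DER are constructed stand-ins, not real CA certificates.

```python
"""Build the SSLCACertificateFile bundle for CAC authentication.

Added example, not McAfee code. A PEM certificate is just the DER bytes in
base64 between BEGIN/END CERTIFICATE lines, which is what the openssl command
above produces, so the conversion needs no OpenSSL. The merge step combines PEM
files into one master CA file, keeping only CERTIFICATE blocks (a private key or
CRL pasted in by mistake is refused) and dropping duplicate certificates.
The DER blobs below are constructed stand-ins, not real CA certificates.
"""
import base64
import hashlib
import re
from typing import Iterable, List

# One PEM block; the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Same result as 'openssl x509 -inform DER -outform PEM': base64, 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_certificates(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in order.

    Any other block type is refused: it does not belong in a trusted-CA list,
    and a key copied into the bundle by mistake would be a leak.
    """
    certs: List[bytes] = []
    for label, body in PEM_BLOCK_RE.findall(pem_text):
        if label != "CERTIFICATE":
            raise ValueError(f"refusing {label} block: only certificates belong in the CA file")
        try:
            certs.append(base64.b64decode("".join(body.split()), validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed base64 in a CERTIFICATE block") from exc
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs


def build_ca_bundle(pem_files: Iterable[str]) -> str:
    """Concatenate PEM texts into one master CA file, de-duplicated by SHA-256 of the DER."""
    seen = set()
    blocks: List[str] = []
    for text in pem_files:
        for der in extract_certificates(text):
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint not in seen:
                seen.add(fingerprint)
                blocks.append(der_to_pem(der))
    return "".join(blocks)


def bundle_fingerprints(bundle: str) -> List[str]:
    """SHA-256 fingerprints of the certificates in a bundle: what the Manager will trust."""
    return [hashlib.sha256(der).hexdigest() for der in extract_certificates(bundle)]


# Constructed stand-ins for a root CA and an intermediate CA in DER form
# (real certificates would come from the CAC issuer).
ROOT_CA_DER = b"\x30\x03\x02\x01\x01"
INTERMEDIATE_CA_DER = bytes(range(64, 160))

if __name__ == "__main__":
    # The intermediate file also carries a copy of the root; the bundle keeps only one.
    bundle = build_ca_bundle([der_to_pem(ROOT_CA_DER),
                              der_to_pem(INTERMEDIATE_CA_DER) + der_to_pem(ROOT_CA_DER)])
    print(bundle)
    print(len(bundle_fingerprints(bundle)), "distinct CA certificates")
```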
Connect the smart card reader to your Manager client through a USB port.
The smart card reader can be connected to a Manager server, if the server doubles up as a
Manager client.
Refer to the card reader manufacturer's recommendations for the necessary device drivers to be
installed.
Install the ActivIdentity and ActivClient CAC software on the Manager client.
This software is provided to you along with the card reader device and helps validate the
digital certificate and user information stored in the card.
McAfee currently supports integration with smart card reader model SCR3310 from TxSystems.
Open the CAC Client software | Smart Card Info | User Name.
The user name is a combination of alphanumeric characters and a few special characters like "." or
spaces. For example, "BROWN.JOHN.MR.0123456789".
Log onto the Manager and create a user with the exact same name, that is,
"BROWN.JOHN.MR.0123456789".
Task
1 Set the SSLCACertificateFile attribute to point to the file containing the trusted CA certificates.
Restart both the McAfee Network Security Manager service and the McAfee Network Security
Manager User Interface service.
For details on how to close client connections, stop/restart the Manager services, etc.
Troubleshooting tips
If the card is not inserted in the card reader, the Manager will not be accessible in this setup.
When authenticating users through CAC, you do not have to enter your Manager user name and
password while logging on.
If you are locked out after entering an invalid PIN, you can use the ActivClient CAC software to get a
new PIN.
If you are unable to view the Manager Login page after CAC authentication has been enabled, it
means that the CAC certificate was NOT signed by a trusted CA listed in the SSLCACertificateFile. To
remedy the problem, import the relevant CA into the SSLCACertificateFile trusted CA list.
If you have imported the relevant CA into the SSLCACertificateFile trusted CA list and are still
unable to view the Manager Login page, check whether a firewall is blocking your access to
destination port 444 on the Manager server.
If you are able to view the Manager Login page but are unable to log onto the Manager, it means
that the user name on the CAC card does not match the user name in the Manager database. To
remedy the problem, verify that the user name on the CAC card exactly matches the Manager user
name.
Tasks
Shut down using the Network Security Platform system tray icon on page 48
See also
Close all the client connections on page 48
Stop the McAfee Network Security Central Manager User Interface service.
In the Dashboard, view the Manager Summary to view the currently logged on users.
Ask the users to close all Manager windows such as Threat Analyzer and Manager Home page and
log out of all open browser sessions.
Right-click the Manager/Central Manager icon in your System Tray. The icon displays as an "M"
enclosed within a shield.
Select Stop Network Security Manager Service or Stop Central Manager Service. Once this service is completely
stopped, continue to the next step.
Open Services.
Find and select McAfee Network Security Manager Database or McAfee Network Security Central
Manager Database in the services list under the "Name" column.
Click the Stop Service button. Once this service is completely stopped, continue to the next step.
Open Services.
Select Network Security Manager Service or Network Security Central Manager Service in the services list under the
Name column.
Find and select McAfee Network Security Manager Database or McAfee Network Security Central Manager Database in
the services list under the "Name" column.
Click the Stop Service button. Once this service is completely stopped, continue to the next step.
Adding a Sensor
After installing the Manager software and a successful logon session, the next step is to add one or
more Sensors to the Manager. For more information on configuring a Sensor, see McAfee Network
Security Platform CLI Reference Guide and McAfee Network Security Platform IPS Administration
Guide.
Contents
Before you install Sensors
Cable specifications
Configuration of a Sensor
Device licenses
Deployment of McAfee Network Security Platform [formerly McAfee IntruShield] requires basic
knowledge of your network to help determine the level of configuration and the number of installed
Sensors and McAfee Network Security Managers (Manager) required to protect your system.
The Sensor is purpose-built for the monitoring of traffic across one or more network segments.
Before you install Sensors
Safety measures
Please read the following warnings before you install the product. Failure to observe these safety
warnings could result in serious physical injury.
Read the installation instructions before you connect the system to its power source.
To remove all power from the Sensor, unplug all power cords, including the redundant power cord.
Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
The Sensor has no ON/OFF switch. Plug the Sensor into a power supply ONLY after you have completed
rack installation.
Before working on equipment that is connected to power lines, remove jewelry (including rings,
necklaces, and watches). Metal objects will heat up when connected to power and ground and can
cause serious burns or weld the metal object to the terminals.
This equipment is intended to be grounded. Ensure that the host is connected to earth ground during
normal use.
Do not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Blank
faceplates and cover panels prevent exposure to hazardous voltages and currents inside the chassis,
contain electromagnetic interference (EMI) that might disrupt other equipment, and direct the flow of
cooling air through the chassis.
To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network
voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN
and WAN ports both use RJ-45 connectors. Use caution when connecting cables.
This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against
harmful interference when the equipment is operated in a commercial environment. This equipment
generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance
with the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be
required to correct the interference at his own expense.
Fiber-optic ports
Fiber-optic ports (for example, FDDI, OC-3, OC-12, OC-48, ATM, GBIC, and 100BaseFX) are
considered Class 1 laser or Class 1 LED ports.
These products have been tested and found to comply with Class 1 limits of IEC 60825-1, IEC
60825-2, EN 60825-1, EN 60825-2, and 21CFR1040.
To avoid exposure to radiation, do not stare into the aperture of a fiber-optic port. Invisible radiation
might be emitted from the aperture of the port when no fiber cable is connected.
Usage restrictions
The following restrictions apply to the use and operation of a Sensor:
You may not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
McAfee prohibits the use of the Sensor appliance for anything other than operating the Network
Security Platform.
McAfee prohibits the modification or installation of any hardware or software in the Sensor
appliance that is not part of the normal operation of the Network Security Platform.
Verify you have received all parts. These parts are listed on the packing list and in Contents of the
Sensor box, below.
Save the box and packing materials for later use in case you need to move or ship the Sensor.
See also
Contents of the Sensor box on page 53
One Sensor
One power cord. McAfee provides a standard, 2m NEMA 5-15p (US) power cable (3 wire).
International customers must procure a country-appropriate power cable with specific V/A ratings.
Fail-closed dongles (two for the I-1200, four for the I-1400, six for I-2700).
Release notes.
Cable specifications
This section lists the specifications for all cables to use with McAfee Network Security Sensor (Sensor).
Signal          Direction on Sensor
DCD             Output
RXD             Output
TXD             Input
DTR             Input
GND             not applicable
DSR             Output
RTS             Input
CTS             Output
No Connection   Not applicable
Pin #   Signal   Direction on Sensor
        DCD      Input
        RXD      Input
        TXD      Output
        DTR      Output
        GND      n/a
        DSR      Input
        RTS      Output
        CTS      Input
        RI       Input
Pin #   Signal   Direction on Sensor
        TxD+     Output
        TxD-     Output
        RxD+     Input
        These pins are terminated to ground through a 75 ohm resistor & capacitor.
5
6       RxD-     Input
        These pins are terminated to ground through a 75 ohm resistor & capacitor.
8
Category 5 Enhanced (Cat 5e) cable is required for transmission speeds up to 1 Gigabit per second
(Gigabit Ethernet). For Ethernet networks running at 10 or 100 Mbps, Category 5 (Cat 5) or Cat 5e
cable can be used.
Throughout this guide, cabling specifications will be mentioned as Cat 5/Cat 5e.
Pin #   Signal   Direction on Sensor
        TxD+     Output
        TxD-     Output
        RxD+     Input
        These pins are terminated to ground through a 75 ohm resistor & capacitor.
5
6       RxD-     Input
        These pins are terminated to ground through a 75 ohm resistor & capacitor.
See also
Gigabit Ethernet (GE) ports on page 56
Fast Ethernet (FE) 10/100/1000 ports on page 56
Signal      Direction on Sensor
TxD+ FO
TxD- FO
RxD+        Input
TxD+ FC
TxD- FC
RxD-        Input
These pins are terminated to ground through a 75 ohm resistor & capacitor.
Configuration of a Sensor
This section describes how to configure a McAfee Network Security Sensor (Sensor). This information
is generic to all Sensor appliance models.
The information presented in this chapter was developed based on devices in a specific lab
environment. All Sensors used in this document started with a cleared (default) configuration. If you are
working in a live network, please ensure that you understand the potential impact of any command
before using it. For more information on the available Sensor CLI commands, see the McAfee Network
Security Platform CLI Reference Guide.
Configuration overview
At a high level, the process of configuring the Sensor involves the following steps. Detailed
instructions follow in subsequent sections of this chapter.
Task
Install and bring up the Sensor. (This information is described in detail in the Product Guide for
each Sensor model.)
Add the Sensor to the Manager using the McAfee Network Security Manager (Manager) Configuration
page.
Configure the Sensor with a unique name and shared key value.
Configure the Sensor's network information (for example, IP address and netmask, Sensor name,
and so on).
Verify that the Sensor is on the network. (See Configuring the Sensor.)
Verify connectivity between the Manager and the Sensor. (See Verifying successful configuration.)
See also
Establishment of a Sensor naming scheme on page 57
Add a Sensor to the Manager on page 57
Configure the Sensor on page 58
Verification of successful configuration on page 61
In the System page, select the Domain to which you want to add the Sensor and then select Global |
Add and Remove Devices | New.
The Add New Device form appears.
If you are moving a Sensor to a new environment and wish to wipe the Sensor back to its factory
default settings, start by typing factorydefaults from the CLI. See the McAfee Network Security
Platform CLI Reference Guide for specific details on the usage of the command.
Task
1 Open a HyperTerminal session to configure the Sensor. (For instructions on connecting to the
Console port, see the section Cabling the Console Port in the McAfee Network Security Platform
Product Guide for your Sensor model.)
At the login prompt, log on to the Sensor using the default username admin and password
admin123.
McAfee strongly recommends that you change the default password later for security purposes,
as described in Step 9.
By default, the user is prompted for configuration setup immediately after login. Otherwise, the
user can start the setup later from the command prompt using the setup command. For more
information, see the McAfee Network Security Platform CLI Reference Guide.
Set the IP address and subnet mask of the Sensor. At the prompt, type:
set sensor ip <A.B.C.D> <E.F.G.H>
Specify a 32-bit address written as four eight-bit numbers separated by periods, as in
<A.B.C.D>
where:
For example:
set sensor ip 192.34.2.8 255.255.255.0
Or specify an IPv6 address as given below:
set sensor ipv6 <A:B:C:D:E:F:G:H/I>
where:
If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons
(::). For example, set sensor ipv6 2001:0db8:8a2e::0111/64
Setting the IP address for the first time (that is, during the initial configuration of the Sensor) does
not require a Sensor reboot. Subsequent changes to the IP address will, however, require that you
reboot the Sensor for the change to take effect. If a reboot is necessary, the CLI will prompt you to
do so. For information on rebooting, see Conditions requiring a Sensor reboot in the McAfee Network
Security Platform Troubleshooting Guide.
If the Sensor is not on the same network as the Manager, set the address of the default
gateway. Note that you should be able to ping the gateway (that is, the gateway should be
reachable). At the prompt, type:
set sensor gateway <A.B.C.D>
Use the same convention as the one for the Sensor IP address. For example, set sensor gateway
192.34.2.8
Or specify the IPv6 address of the gateway as given below:
set sensor gateway-ipv6 <A:B:C:D:E:F:G:H>
where:
If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons
(::).
For example, set sensor gateway-ipv6 2001:0db8:8a2e::0111
6 If one or more four-digit groups are 0000, the zeros may be omitted and replaced with two colons
(::). For example: set manager ip 2001:0db8:8a2e::0111
7 Ping the Manager from the Sensor to determine whether your configuration settings to this point
have successfully established the Sensor on the network. At the prompt, type: ping <manager IP
address>
The success message "host <ip address> is alive" appears. If not, type show to verify your configuration
information and check to ensure that all information is correct. If you run into any difficulties, see the
McAfee Network Security Platform Troubleshooting Guide.
Set the shared key value for the Sensor. This value is used to establish a trust relationship between the
Sensor and the Manager.
At the prompt, type:
set sensor sharedsecretkey
The Sensor then prompts you to enter a shared secret key value. Type the shared secret key value
at the prompt. The Sensor then prompts you to verify the value. Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret
key value is case-sensitive. For example, IPSkey123
(Optional, but recommended) Change the Sensor password. At the prompt, type:
passwd
The Sensor prompts you to enter the new password and prompts you for the old password.
A password must be between 8 and 25 characters, is case-sensitive, and can consist of any
alphanumeric character or symbol.
McAfee strongly recommends that you choose a password with a combination of characters that is
easy for you to remember but difficult for someone else to guess.
On the Sensor, type status (For more information on the status command, see the McAfee
Network Security Platform CLI Reference Guide.)
In the Manager Dashboard, check the System Health status. (See if the Sensor is active. If the link
is yellow, click on the cell to see the System Faults on the Sensor. For more information on this
process, see McAfee Network Security Platform Manager Administration Guide.)
In the Manager, click System and select the Domain to which the Sensor belongs. Then click Devices
and select the Sensor. Then go to Setup | Monitoring Ports. Look at the color of the button(s)
representing the ports on the Sensor, and check the color legend on the screen to see the status of
the Sensor's ports. (For more information on this process, see the McAfee Network Security Platform
Manager Administration Guide.)
If you have difficulty in troubleshooting the above, see McAfee Network Security Platform
Troubleshooting Guide. Also, see McAfee Network Security Platform CLI Reference Guide for a
description of all available CLI commands.
Sensor name
Changing a Sensor's name requires you to delete it from the Manager and re-add it, or in other
words, re-configure the Sensor from the beginning. For instructions, see Add the Sensor to Manager
and then Configuring the Sensor.
Manager IP
See also
Add a Sensor to the Manager on page 57
Configure the Sensor on page 58
Type the Sensor Shared Secret. (This value must match the value set for the Sensor in the Manager
interface.)
For example, set sensor sharedsecretkey. The Sensor then prompts you to enter a shared
secret key value. Type the shared secret key value at the prompt. The Sensor then prompts you to
verify the value. Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret
key value is case-sensitive. For example, IPSkey123.
If you changed the Sensor IP address, then you must reboot the Sensor.
Type reboot. You must confirm that you want to reboot the Sensor.
Device licenses
No license file is required for enabling IPS on I-series and M-series Sensors; no license is required for
enabling NAC on N-450 Sensors. In other words, when you add a Sensor to the Manager, upon
discovery, the native functionality supported on the Sensor model is automatically enabled.
You require an add-on license to enable NAC on M-series Sensors. You can import/assign the license
using the Licenses page. In the Manager, click Manage and select the Domain. Then go to Setup | Licenses
page.
This section discusses the concepts and configuration instructions for managing devices like the
Sensors and the NTBA Appliance using the Manager resource tree.
The Devices page can be accessed from the menu bar of the Manager. This page allows you to manage
the group of Network Security Sensors and/or NTBA Appliances integrated with the Manager. The
configuration settings for a specific domain specified under the Global tab set general rules that are
applied by default to all physical devices added within the Manager. These added devices appear in the
list of devices visible in the Device drop-down. These devices adopt the parent domain's general rules.
See also
Deploy pending changes to a device on page 81
Contents
Install Sensors using the wizard
Possible actions from the device list nodes
Specify proxy server for internet connectivity
Configure NTP server
You can install I-series and M-series Sensors using the wizard.
You can change the port configuration (inline, tap, and span) and other per-port configuration,
such as full duplex and speed, apply a policy per port, and finally push the configuration changes.
There is no NAC support for I-series Sensors.
For an IPS Sensor, you can change the port configuration (inline, tap, and span) and other
per-port configuration, such as full duplex and speed, apply a policy per port, and finally push
the configuration changes.
If the Sensor has a NAC license, you can also configure the McAfee ePO server (if IBAC is enabled)
and set the IP, gateway, mask, and VLAN (if audit log is enabled) per port for the discovered
Sensor. At the end of the wizard installation, users can push configuration changes to the Sensor.
You can also configure the ePO server (if IBAC is enabled) and set the IP, gateway, mask, and
VLAN (if audit log is enabled) per port for the discovered Sensor. At the end of the wizard
installation, users can push configuration changes to the Sensor.
From Manager, go to Devices | <Admin domain name> | Global | Add Device Wizard to invoke the Add New Device
wizard.
To exit the wizard at any time, click the Global tab.
Click Next.
Task
1 Choose one of the following signature set update methods:
Importing signature sets from a local directory -- You can import the signature set into the Manager
from a local directory.
Downloading the latest Signature set from McAfee Update Server -- You can download the latest signature set
from McAfee Network Security Update Server (Update Server).
Skip Update Server authentication and signature set download -- Use this option to continue with the default
signature set that you received along with the Manager installation.
The Choose signature set method page displays the version of the current signature set available
on the Manager.
Click Next.
Tasks
In the Choose signature set update method page, select McAfee Update Server option.
Click Next.
The Authentication page is displayed.
Click Next.
The available signature sets are listed.
Select the required signature set version and then click Next.
The Signature set download status page is displayed.
In the Choose signature set update method page, select the Import signature set from local directory option.
Click Next.
The Import Attack Set page is displayed.
Click Next.
The Import Status is displayed.
After the signature set has been pushed, the Add a Sensor page is displayed.
Click Devices | <Admin Domain> | Global | Add and Remove Devices. Click New.
Enter the Sensor Type: IPS or NAC Sensor, Virtual HIP Sensor, or NTBA Appliance.
Click Save.
Click Next.
You can select the Sensor and click Edit to edit the Sensor settings.
Open a HyperTerminal session to configure the Sensor. This task is performed to establish trust
with the Sensor.
For instructions, see Cabling the Console Port in the McAfee Network Security Platform Sensor Product
Guide for your Sensor model.
2 At the login prompt, log on to the Sensor using the default username admin and password
admin123.
McAfee strongly recommends that you change the default password later for security purposes.
Set the name of the Sensor. At the prompt, type: set Sensor name <WORD>
Example: set Sensor name Engineering_Sensor1.
The Sensor name is a case-sensitive alphanumeric character string up to 25 characters. The string
can include hyphens, underscores, and periods, and must begin with a letter.
Set the IP address and subnet mask of the Sensor. At the prompt, type: set Sensor ip <A.B.C.D>
<E.F.G.H>
Specify a 32-bit address written as four octets separated by periods: X.X.X.X, where X is a number
between 0-255. For example: set Sensor ip 192.34.2.8 255.255.255.0
Setting the IP address for the first time (that is, during the initial configuration of the Sensor) does
not require a Sensor reboot. Subsequent changes to the IP address will, however, require that you
reboot the Sensor for the change to take effect. If a reboot is necessary, the CLI will prompt you to
do so. For information on rebooting, see the McAfee Network Security Platform Troubleshooting
Guide.
If the Sensor is not on the same network as Manager, set the address of the default gateway. At
the prompt, type: set Sensor gateway <A.B.C.D>
Use the same convention as the one for Sensor IP address. For example: set Sensor gateway
192.34.2.8.
Ping Manager from the Sensor to determine if your configuration settings to this point have
successfully established the Sensor on the network. At the prompt, type:
ping <manager IP address>.
If the ping is successful, continue with the following steps. If not, type show to verify your
configuration information and check to ensure that all information is correct. If you run into any
difficulties, see the McAfee Network Security Platform Troubleshooting Guide.
Set the shared key value for the Sensor. This value is used to establish a trust relationship between
the Sensor and Manager. At the prompt, type:
set Sensor sharedsecretkey.
The Sensor then prompts you to enter a shared secret key value. Type the shared secret key value
at the prompt. The Sensor then prompts you to verify the value. Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret
key value is case-sensitive. Example: IPSkey123
(Optional, but recommended) Change the Sensor password. At the prompt, type:
passwd.
The Sensor prompts you to enter the new password and prompts you for the old password.
The password must be a minimum of 8 characters in length, and can be up to 25 characters long.
The characters that can be used while setting a new password are:
26 letters: both upper and lower case are supported (a, b, c, ... z and A, B, C, ... Z)
10 digits: 0 1 2 3 4 5 6 7 8 9
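A pre-flight check for the Sensor CLI values used in the procedure above and in the earlier Configure the Sensor steps, as an added Python example (not McAfee code or part of this guide): it validates the name, IPv4 address and netmask, IPv6 address, gateway, shared secret key and password against the rules the guide states and renders the resulting set sensor lines. EXAMPLE_PLAN reuses the guide's example values; its gateway and password are constructed.

```python
"""Pre-flight check for the Sensor CLI values entered in the steps above.
Added example, not McAfee code: it validates the values you intend to type at the
Sensor prompt against the rules this guide states (name, IPv4 address and netmask,
IPv6 address with prefix, gateway, shared secret key, password) and renders the
resulting 'set sensor ...' lines, so a typo is caught before it reaches the device."""
import ipaddress
import re
from typing import Dict, List, Optional

# Sensor name: letters/digits plus '-', '_' and '.', up to 25 chars, must begin with a letter.
SENSOR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,24}$")
MIN_LEN, MAX_LEN = 8, 25          # shared secret key and password length
DEFAULT_PASSWORD = "admin123"     # factory default the guide says to change

def validate_sensor_name(name: str) -> List[str]:
    """Rule violations for 'set sensor name <WORD>'; an empty list means acceptable."""
    if SENSOR_NAME_RE.match(name):
        return []
    if not name or not name[0].isalpha():
        return ["sensor name must begin with a letter"]
    if len(name) > MAX_LEN:
        return [f"sensor name is {len(name)} characters; the limit is {MAX_LEN}"]
    return ["sensor name may contain only letters, digits, '-', '_' and '.'"]

def _parse_ipv4(value: str, what: str, problems: List[str]) -> Optional[ipaddress.IPv4Address]:
    """Parse a dotted quad (four octets, each 0-255); record a problem on failure."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        problems.append(f"{what} {value!r} is not four octets in the range 0-255")
        return None

def validate_ipv4(addr: str, mask: str) -> List[str]:
    """Check the operands of 'set sensor ip <A.B.C.D> <E.F.G.H>'."""
    problems: List[str] = []
    _parse_ipv4(addr, "address", problems)
    mask_obj = _parse_ipv4(mask, "netmask", problems)
    # A netmask is a run of ones followed by zeros (255.255.255.0), nothing else.
    if mask_obj is not None and not re.fullmatch(r"1*0*", f"{int(mask_obj):032b}"):
        problems.append(f"netmask {mask!r} is not a contiguous prefix mask")
    return problems

def validate_ipv6(value: str, with_prefix: bool) -> List[str]:
    """'set sensor ipv6' takes <addr/prefix>; 'set sensor gateway-ipv6' a bare address.
    '::' compression of zero groups is accepted, as the guide describes."""
    if ("/" in value) != with_prefix:
        return ["IPv6 address needs a /prefix length" if with_prefix
                else "IPv6 gateway is given without a /prefix length"]
    try:
        ipaddress.IPv6Interface(value) if with_prefix else ipaddress.IPv6Address(value)
    except ValueError:
        return [f"{value!r} is not a valid IPv6 value"]
    return []

def validate_secret(value: str, what: str) -> List[str]:
    """Shared secret key and password: 8-25 printable ASCII characters, case-sensitive."""
    problems: List[str] = []
    if not MIN_LEN <= len(value) <= MAX_LEN:
        problems.append(f"{what} must be {MIN_LEN}-{MAX_LEN} characters, got {len(value)}")
    if not (value.isascii() and value.isprintable()):
        problems.append(f"{what} must be printable ASCII text")
    if what == "password" and value == DEFAULT_PASSWORD:
        problems.append("password is still the factory default; change it")
    return problems

def validate_plan(plan: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate a whole plan; returns {field: problems} for only the fields that fail."""
    checks = {
        "name": validate_sensor_name(plan["name"]),
        "ip": validate_ipv4(plan["ip"], plan["mask"]),
        "sharedsecretkey": validate_secret(plan["sharedsecretkey"], "shared secret key"),
        "password": validate_secret(plan["password"], "password"),
    }
    if "gateway" in plan:
        checks["gateway"] = []
        _parse_ipv4(plan["gateway"], "gateway", checks["gateway"])
    for key, with_prefix in (("ipv6", True), ("gateway-ipv6", False)):
        if key in plan:
            checks[key] = validate_ipv6(plan[key], with_prefix)
    return {field: probs for field, probs in checks.items() if probs}

def render_cli(plan: Dict[str, str]) -> List[str]:
    """CLI lines for a validated plan (lower-case 'sensor' as in the first procedure).
    The shared secret key and password are not command operands: the Sensor prompts
    for each one twice, so only the bare commands appear."""
    if validate_plan(plan):
        raise ValueError("plan has unresolved problems; see validate_plan()")
    lines = [f"set sensor name {plan['name']}", f"set sensor ip {plan['ip']} {plan['mask']}"]
    for key in ("gateway", "ipv6", "gateway-ipv6"):
        if key in plan:
            lines.append(f"set sensor {key} {plan[key]}")
    return lines + ["set sensor sharedsecretkey", "passwd"]

# Constructed sample plan: the guide's example values plus a made-up gateway and password.
EXAMPLE_PLAN = {
    "name": "Engineering_Sensor1", "ip": "192.34.2.8", "mask": "255.255.255.0",
    "gateway": "192.34.2.1", "ipv6": "2001:0db8:8a2e::0111/64",
    "sharedsecretkey": "IPSkey123", "password": "Ch4nge-me-now",
}
```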
11 Switch back to the Sensor Installation Wizard to continue with the Sensor installation. At this point
you are on the Sensor Discovery page.
12 Click Next.
Button             Description
Back
Cancel
Re-try Discovery
Next               Moves you to the Edit Port configuration to Sensor page to configure the port for a Sensor.
Click Edit.
Select the mode of operation for the port from the Operation Mode list:
Inline Fail-Open
Internal Tap
Span or Hub
Inline Fail-Close
Specify whether you want to connect the port from inside or outside using the Port Connected Network
list.
Not specified
Click Next.
The Assign policies to Sensor page is displayed. Select a policy from the list of policies and apply it
to the Sensor.
Select a policy and apply it to the Sensor; the default policy applied is the Default Inline IPS policy.
If required, change the applied policies for the interfaces on the Sensor.
All interfaces inherit a policy from the Sensor by default. The Sensor inherits the policy from the
parent admin domain, and takes the Default Inline IPS policy by default.
Click Next.
The Signature Set Push Status page is displayed.
Click Next.
The Sensor Installation Summary page is displayed.
Field: Description
Sensor Name
Sensor Model: Model of Sensor
Trust Status
Interface Name
Operation Status
IP
Mask
Gateway
VLAN ID
Task
1 Click Done.
Installation Wizard welcome page is displayed to enable you to install another Sensor.
Managing Devices: Add devices to the Manager; accept communication from initialized, physically installed and network-connected devices such as IPS Sensors, NAC Sensors, NTBA Appliances or virtual HIP Sensors.
Updating the configuration of all devices: All changes made via the Configuration page that apply to your Sensors are not pushed until you perform a Device List | Configuration Update | Update (all Sensors in a domain) or Device List > Sensor_Name | Configuration Update | Update (single Sensor) action.
Updating software to all devices: Download software and signature files from the Manager via the McAfee Network Security Update Server [formerly IPS Update Server].
Item 1: Host Intrusion Prevention node, displayed when integration with McAfee Host Intrusion Prevention is enabled.
Current navigation
See also
Deploy pending changes to a device on page 81
Update the latest software images on all devices on page 82
Click Next.
The Add New Device page is displayed.
IMPORTANT: The device name and shared secret are case-sensitive. The Device Name and Shared Secret
must also be entered on the device command line interface (CLI) during physical installation and
initialization. If not, the device will not be able to register itself with the Manager.
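The case-sensitive matching of Device Name and Shared Secret that the note above describes, together with the 8 to 25 character ASCII rule given for the shared secret key in the Sensor CLI steps, as an added example. This is not McAfee code and does not model the real registration protocol, which the guide does not describe; the class and function names are hypothetical, the device name is constructed, and only the secret value IPSkey123 comes from the guide.

```python
"""Added example (not McAfee code): a model of the device name / shared secret
pairing used for trust establishment between a device and the Manager.

It models only what the guide states: the shared secret is 8 to 25 characters
of ASCII text, and both the device name and the shared secret are
case-sensitive, so a device whose CLI values differ from the Manager's entry,
even only in letter case, cannot register. The class and function names are
hypothetical; the real registration protocol is not described on the page.
"""
import hmac

SECRET_MIN_LEN = 8
SECRET_MAX_LEN = 25


def secret_is_valid(secret: str) -> bool:
    """Length and ASCII rule for the shared secret, as stated in the guide."""
    if not SECRET_MIN_LEN <= len(secret) <= SECRET_MAX_LEN:
        return False
    return secret.isascii() and secret.isprintable()


class ManagerDeviceRecords:
    """Hypothetical stand-in for the Manager's Add New Device entries."""

    def __init__(self) -> None:
        # device name -> shared secret, both stored exactly as typed
        self._records = {}

    def add_device(self, name: str, secret: str, confirm: str) -> None:
        """Manager side: the wizard's Device Name, Shared Secret and Confirm Shared Secret."""
        if not name:
            raise ValueError("device name is required")
        if not secret_is_valid(secret):
            raise ValueError("shared secret must be 8-25 printable ASCII characters")
        if secret != confirm:
            raise ValueError("Shared Secret and Confirm Shared Secret do not match")
        self._records[name] = secret

    def check_trust(self, cli_name: str, cli_secret: str) -> bool:
        """Device side: values typed at the device CLI must match the Manager entry exactly.

        Dictionary lookup is case-sensitive, so a name differing only in case is
        unknown. The secret comparison is constant-time; unequal lengths give False.
        """
        stored = self._records.get(cli_name)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("ascii"), cli_secret.encode("utf-8"))


def trust_demo() -> dict:
    """Constructed scenario: one device added on the Manager, four CLI attempts."""
    records = ManagerDeviceRecords()
    # "IPSkey123" is the example secret value from the guide; the name is constructed
    records.add_device("edge-sensor-1", "IPSkey123", "IPSkey123")
    return {
        "exact_match": records.check_trust("edge-sensor-1", "IPSkey123"),
        "secret_wrong_case": records.check_trust("edge-sensor-1", "ipskey123"),
        "name_wrong_case": records.check_trust("Edge-Sensor-1", "IPSkey123"),
        "unknown_device": records.check_trust("core-sensor-2", "IPSkey123"),
    }


if __name__ == "__main__":
    for case, ok in trust_demo().items():
        print(f"{case}: {'trust established' if ok else 'registration refused'}")
```

Only the first scenario establishes trust; the other three are the mismatches the note warns about, which is why the wizard's Next button stays disabled until Check Trust succeeds.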
6 Click Next.
The Trust Establishment page is displayed.
Follow the instructions on the page to complete the command line interface (CLI) setup and click
Check Trust.
Using the command line interface (CLI), enter the necessary information for the device identification
and communication as described in the McAfee Network Security Platform Installation Guide. If you
set up the device first, you will need to return to the device after the Manager addition to reset the
shared secret key and begin device-to-Manager communication.
10 Click Next.
The Next button will be enabled once the trust between the device and the Manager is established.
14 Select the Enable Application Identifier? check box for the required ports. Click Next.
Task
1 The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed.
McAfee recommends adding an Appliance to the Manager first.
Click Next.
The Add New Device page is displayed.
Click Next.
Follow the instructions on the page to complete the command line interface (CLI) setup and click
Check Trust.
Using the command line interface (CLI), enter the necessary information for the Appliance
identification and communication as described in the McAfee Network Security Platform Installation
Guide. If you set up the Appliance first, you will need to return to the Appliance after the Manager
addition to reset the shared secret key and begin Appliance-to-Manager communication.
10 Click Next.
The Next button will be enabled once the trust between the Appliance and the Manager is
established.
19 Click Finish.
The NTBA Appliance appears added under the Device drop-down list in the Devices tab. It also
appears in the Add and Remove Devices in the Global tab.
Click Edit.
See also
Options available in the devices page on page 74
Last Update: Last day and time the device configuration was updated
Updating Mode: Online or offline update mechanism selected for the device
Configuration & Signature Set: A selected check box indicates that the device is to be updated for any configuration change other than those related to SSL key management
Click Update.
If more than one device is being updated, devices are updated one at a time until all downloads are
complete.
Click Refresh to see the new device software version after restart.
See also
Possible actions from the device list nodes on page 73
Configuration of devices using the Manager on page 4
To select a Sensor for update, select the check boxes (for the specific Sensor) in the Upgrade
column.
The Manager provides this option to concurrently perform the software upgrade for multiple
Sensors.
To select a Sensor for reboot, select the check boxes (for the specific Sensor) in the Reboot column.
By default the Reboot option is disabled. It gets enabled only after you select the Sensor(s) in the
Upgrade column. This option triggers a full reboot even if hitless reboot option is available for the
corresponding Sensors. The Reboot option can also be disabled if required.
The Offline Upgrade Files option is used to update and export Offline Sensors.
Refresh enables you to see the new Sensor software version after reboot.
Clear Status is used for clearing the cached status.
See also
Possible actions from the device list nodes on page 73
Download software update files for offline devices on page 83
See also
Configure a new device for offline signature set update on page 84
Update configuration for offline devices on page 85
Update software for offline devices on page 86
Configure an existing device for offline signature set update on page 84
Export software for offline devices on page 85
Export software for offline devices on page 87
Update the latest software images on all devices on page 82
Click New.
The Add New Device page is displayed.
Enter a name against Device Name, select IPS or NAC Sensor against Device Type, and enter the Shared Secret and Confirm Shared Secret.
See also
Download software update files for offline devices on page 83
Click Devices | <Admin Domain> | Global | Add and Remove Devices to view the list of devices configured.
Select the device and click Edit. Select Offline against Updating Mode and click Save.
The information box confirms a successful edit. The device is configured for Offline update.
The Updating Mode configured on the Primary device of the Failover - Pair determines the signature file
generation for download.
If the Primary device is configured for Offline Updating Mode, then two individual signature files are
generated for Primary and Secondary devices, irrespective of the Secondary device configuration.
If the Primary device is configured for Online Updating Mode, then signature file will be downloaded
online to both devices, irrespective of the Secondary device configuration.
See also
Download software update files for offline devices on page 83
The devices for which configuration can be downloaded are listed under Configuration Update.
Select the Configuration Update check box against the device listed as Offline in the Updating Mode column.
Click Update.
The update is listed under Sigfile for Offline Sensors in the Configuration Update tab on the Device List node
and is ready for export.
The Updating Mode configured on the Primary device of the Failover Pair determines the signature file generation for download.
If the Primary device is configured for Offline Updating Mode, then two individual signature files are generated for the Primary and Secondary devices, irrespective of the Secondary device configuration.
If the Primary device is configured for Online Updating Mode, then the signature file will be downloaded online to both devices, irrespective of the Secondary device configuration.
See also
Download software update files for offline devices on page 83
Select the radio button under the Export File column for the device listed under Available Configuration Files for Offline Devices. Click Export.
Select the Save File option. Click OK and save the signature file in the desired location in the local
machine.
Tasks
See also
Download software update files for offline devices on page 83
Connect to the device through the CLI and configure the TFTP server IP.
Once the signature file is copied on to the device, check with the "downloadstatus" command in the CLI to get the status.
The devices for which software can be downloaded are listed under the Deploy Device Software table.
Select the check box against the device listed as Offline in the Upgrade column. Click Update.
Figure 6-14
The update is listed under Available Configuration Files for Offline Devices in the Configuration Update table and is ready for export.
See also
Download software update files for offline devices on page 83
Click Devices | <Admin Domain> | Devices | <Device Name> | Maintenance | Export Configuration.
Select all required configuration that you wish to export and click Export.
Select the Save File option. Click OK and save the device software in the desired location.
Tasks
See also
Download software update files for offline devices on page 83
Import the device image jar file on to the Manager, using Manage | Updating | Manual Import.
Click Deploy Device Software, which is also located under the Updating tab.
Select the device and image to apply and click Upgrade. The offline image is generated in the same
page below, under Available Upgrade Files for Offline Devices.
Once the image file is copied on to the device (this takes some time), check with the "downloadstatus" command in the CLI to get the status.
Model: Port(s)
I-4010: 6A and 6B
I-4000: 2A and 2B
I-3000: 6A and 6B
I-2700
I-1400
I-1200
M-8000: 3A and 3B
M-6050
M-4050: 2A
M-3050: 2A
M-2750
M-1450: 4A
M-1250: 4A
NS9100: G0/1
NS9200: G0/1
NS9300
N-550: 6A and 6B
N-450
Select the Model. Both devices in a failover pair must be the same model.
Type a failover pair Name that will uniquely identify the grouping.
Enable or disable Fail open for the failover pair as per your requirement. By default, it is disabled.
Click Create; click Cancel to abort. Upon saving, a message informs you that the failover pair creation
will take a few moments. Click OK. The new failover pair will appear as a child node of the devices
node under which it was created.
If you have created a failover pair while maintaining an open Threat Analyzer window, the Threat
Analyzer will continue to report alerts from both the Primary and Secondary devices, respectively,
identifying each device by the given device name and not by the name of the failover pair. This may
cause confusion in the event that both devices detect identical alerts. (In true failover operation, if
both devices detect the same alert, only one alert instance is reported with the name of the failover
pair as the identifying device.) Restart the Threat Analyzer for proper alert reporting. The same is
true in reverse if a failover pair is deleted. You must restart the Threat Analyzer to view alerts
separately from each device.
Tasks
Select the Manage Cluster Configuration tab for the failover pair interface. (Failover-Pair-Name | Physical Failover
Pair | Cluster Settings)
Click Submit.
Click Browse to browse and select the appropriate license for the device file (.jar format) received
from McAfee. Click Import to import the license file.
After a successful import, these licenses are stored in <Network Security Manager install
directory>\App\LICENSES\SensorLicense.
If the license has a serial number, the Manager automatically binds the license with the matching
device model added to the Manager.
Error raised if incorrect license file is selected for import
Error: Action failed
Description/Cause: The following error is raised if an incorrect license file is selected for import.
Change in License due to purchase of additional functionality
If you upgrade from a temporary license or if you opt to upgrade your device to use additional
functionality for example, from IPS to IPS and NAC, you need to change the device license by
importing a new device license that can overwrite the existing one. This can be done through the
Manager during a Manager session. You do not have to log out of an open Manager session to
install the new license.
Tasks
Enter the Proxy Server Name or IP Address. This can be either IPv4 or IPv6 address.
Provide the appropriate URL. You may test to ensure that the connection works by entering a Test
URL and clicking Test Connection.
When the Manager or the device makes a successful connection, it displays a message indicating
that the proxy server settings are valid.
Select Devices | <Admin Domain Name> | Global | Default Device Settings | Common | NTP.
The NTP Server page appears.
NTP can also be configured for each device individually.
To enable communication with the NTP server, select Enable NTP Server?
To stop NTP from the Manager, unselect this option.
Configure the two NTP servers: the Sensor will use one of the configured NTP servers based on least RTT (Round-Trip Time).
a Enter the Polling Interval. The range is 3 ~ 17. The configured polling interval is applied as 2^x seconds (2 to the power x).
Click on the Test Connection button to check the connectivity to the NTP server. The status of the
connectivity tests is displayed in the NTP page.
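The two NTP rules stated above (the Sensor uses whichever of the two configured servers has the least RTT, and a Polling Interval setting x in the range 3 to 17 is applied as 2^x seconds) as an added example in plain Python. This is not McAfee code; the function names are hypothetical and the server names and RTT figures are constructed. It also handles the case the page's connectivity test surfaces, a server that cannot be reached.

```python
"""Added example (not McAfee code): the NTP settings described above expressed
as plain functions. Function names are hypothetical; the RTT figures are
constructed. The guide gives only the rules: two servers, least RTT wins,
polling interval x in 3..17 applied as 2^x seconds.
"""
from typing import Dict, Optional

POLL_MIN = 3
POLL_MAX = 17


def poll_interval_seconds(x: int) -> int:
    """Translate the Polling Interval setting x into the applied period of 2**x seconds."""
    if not isinstance(x, int) or not POLL_MIN <= x <= POLL_MAX:
        raise ValueError(f"polling interval must be an integer in {POLL_MIN}..{POLL_MAX}, got {x!r}")
    return 2 ** x


def poll_interval_bounds() -> Dict[str, int]:
    """Shortest and longest periods the setting can produce, in seconds (8 s to a little over 36 h)."""
    return {"min_seconds": poll_interval_seconds(POLL_MIN),
            "max_seconds": poll_interval_seconds(POLL_MAX)}


def select_ntp_server(rtts: Dict[str, Optional[float]]) -> Optional[str]:
    """Choose the configured server with the least RTT.

    rtts maps server -> measured round-trip time in milliseconds, or None when
    the connectivity test for that server failed. Returns None when no server
    is reachable, so the caller can raise an alert instead of silently
    polling nothing.
    """
    reachable = {server: rtt for server, rtt in rtts.items() if rtt is not None}
    if not reachable:
        return None
    return min(reachable, key=reachable.get)


if __name__ == "__main__":
    # constructed measurements for the two configured servers
    sample = {"ntp1.example.net": 12.5, "ntp2.example.net": 4.1}
    print("use", select_ntp_server(sample), "every", poll_interval_seconds(6), "seconds")
```

The bounds function makes the practical consequence of the setting visible: 3 polls every 8 seconds, 17 polls roughly every 36 hours, which matters when time accuracy underpins alert correlation across Sensors.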
The Devices tab in the Devices page represents the physical Sensor installed in your network. Each
device is a uniquely named (by you) instance of a Sensor. All actions available in the <Device_Name>
page customize the settings for a specific Sensor.
After properly installing and initializing a Sensor, then adding the Sensor to the Manager, it appears in
the Device drop down list, where it was added, and inherits all of the configured device settings. After
adding a device, the device can be specifically configured to meet user requirements by selecting the
uniquely named device node.
For more information on interfaces and subinterfaces, see Network Security Platform IPS
Administration Guide.
Many device configurations performed within the Devices page are not immediately applied to the devices. You must update the configuration of all devices, or of the specific device, to push the configuration information from the Manager to your device.
The <Device_Name> page for a Sensor in general contains Summary, Policy, Setup, Maintenance, Troubleshooting,
Deploy Configuration Changes, and IPS Interfaces pages.
Contents
Configuration and management of devices
Troubleshooting your device configuration
Management of device access
Configuring device monitoring and response ports: View/edit the parameters of ports on a specific device.
Signature updates have new and/or modified signatures that can apply to the attacks enforced in a
chosen policy.
Policy changes update the device in case of a newly applied policy, or changes made to the current
enforced policy.
Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes.
The Deploy Pending Changes page is displayed.
View the update information. If changes have been made, the Configuration & Signature Set column is
checked by default.
Click Update.
A pop-up window displays configuration download status.
Task
1 Click Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Deploy Device Software.
The Deploy Device Software page is displayed.
For Sensors in a fail-over pair, select a Sensor under the fail-over pair name node, and then select Upgrade.
<Device_Name> refers to the name of the Sensor or NTBA Appliance.
Select the required version from the Software Ready for Installation section.
The Software Ready for Installation section lists the applicable versions of software that you downloaded
from the update server (Manage | Updating | Download Device Software).
Click Upgrade.
When a device is being updated, it continues to function using the software that was present
earlier.
Select Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Shut Down.
The Shut Down page is displayed.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Diagnostics Trace.
The <Device Name> could refer to a Sensor or an NTBA Appliance.
Click Upload.
The status appears in the Upload diagnostics Status pop-up window.
Click Close Window when the message "DOWNLOAD COMPLETE" appears. The trace file is saved to your Manager server at <Install Dir>\temp\tftpin\<Device Name>\trace\. Once downloaded, the file also appears in the Uploaded Diagnostics Trace Files dialog box under this action.
[Optional] Export a diagnostics file to a client machine by selecting the file from the Uploaded
Diagnostics Files listed and clicking Export. Save this file to your client machine. Saving the file is
particularly useful if you are logged in remotely, need to perform a diagnostics trace, and send the
file to technical support.
Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | TACACS+.
Select Inherit from Parent Domain to use the TACACS+ settings in the parent domain.
Enter the TACACS+ Server IP Address in the IP Address fields; you can enter up to four IP Addresses
for the TACACS+ server. At least one IP Address is required if you enable TACACS+.
Allocating users from domain: Add available users from the domain to the device.
Adding new SNMP users to the Device: Add new users to the device.
Deleting an SNMP User: Delete allocated NMS users from the device or delete new users from devices.
Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | NMS | NMS Users.
Click New.
Click Save.
The user is now added to the device and is displayed in the NMS User table.
Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | NMS | NMS Users.
Select the SNMP user created in the device from the list.
Click Edit.
Enter the Authentication Key and Private Key (confirm at Confirm Authentication Key and Private Key).
Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | NMS | NMS Users.
Click Delete.
Adding new NMS IP address to the device: Allocate available IP addresses from the domain.
Deleting NMS IP addresses: Delete NMS IP addresses from the device and domain.
Third-party NMS (SNMP over IPv6) is supported only on 8500 ports of I-series Sensors. NMS will not
work for default port 161 of I-series, M-Series and NS-Series Sensors.
Select Devices | <Admin Domain Name> | Global | Default Device Settings | Common | Remote Access | NMS | Permitted NMS.
Click New.
In IP Address, enter the NMS IP address. You can enter either IPv4 or IPv6 address.
While adding NMS IP address, you can add a maximum of 10 IPv4 addresses and 10 IPv6 addresses.
Click Save.
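The Permitted NMS list described in the steps above, as an added example using only the Python standard library: each entry is a single IPv4 or IPv6 address, and at most 10 of each family are accepted. This is not McAfee code; the class and function names are hypothetical, the limit of 10 per family comes from the guide, and the addresses in the demo are constructed from documentation ranges. The allowlist is the control that keeps SNMP on the device reachable only from known management stations, so the example also shows the lookup a request's source address would be checked against.

```python
"""Added example (not McAfee code): a model of the Permitted NMS list
described above. The guide states the rule modelled here: each entry is an
IPv4 or IPv6 address, with at most 10 IPv4 and 10 IPv6 addresses. Class and
function names are hypothetical; demo addresses are constructed.
"""
import ipaddress
from typing import List, Tuple, Union

MAX_PER_FAMILY = 10
AnyAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class PermittedNms:
    """Allowlist of management stations permitted to talk SNMP to the device."""

    def __init__(self) -> None:
        self._v4: List[ipaddress.IPv4Address] = []
        self._v6: List[ipaddress.IPv6Address] = []

    def _bucket(self, addr: AnyAddress) -> list:
        return self._v4 if addr.version == 4 else self._v6

    def add(self, text: str) -> bool:
        """Add one address; returns False if it was already present.

        Raises ValueError for text that is not a single IP address (a prefix
        such as 192.0.2.0/24 is rejected too) or when the 10-per-family
        limit has been reached.
        """
        addr = ipaddress.ip_address(text.strip())
        bucket = self._bucket(addr)
        if addr in bucket:
            return False
        if len(bucket) >= MAX_PER_FAMILY:
            raise ValueError(f"limit of {MAX_PER_FAMILY} IPv{addr.version} permitted NMS addresses reached")
        bucket.append(addr)
        return True

    def is_permitted(self, text: str) -> bool:
        """True when the source address of an SNMP request is on the list."""
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return False
        return addr in self._bucket(addr)

    def counts(self) -> Tuple[int, int]:
        """Number of IPv4 and IPv6 entries currently permitted."""
        return len(self._v4), len(self._v6)


def nms_demo() -> dict:
    """Constructed scenario: fill the IPv4 list, add one IPv6 station, then overflow."""
    permitted = PermittedNms()
    for host in range(1, 11):
        permitted.add(f"192.0.2.{host}")      # ten IPv4 stations (TEST-NET-1 range)
    permitted.add("2001:db8::10")            # one IPv6 station (documentation prefix)
    try:
        permitted.add("192.0.2.11")          # eleventh IPv4 address: over the limit
        overflow_rejected = False
    except ValueError:
        overflow_rejected = True
    return {
        "counts": permitted.counts(),
        "listed_v4": permitted.is_permitted("192.0.2.5"),
        "listed_v6": permitted.is_permitted("2001:db8::10"),
        "unlisted": permitted.is_permitted("198.51.100.7"),
        "garbage": permitted.is_permitted("not-an-address"),
        "overflow_rejected": overflow_rejected,
    }


if __name__ == "__main__":
    print(nms_demo())
```

Note that the model keeps the two families apart: filling the ten IPv4 slots leaves the ten IPv6 slots untouched, which is the behaviour the limit in the step above describes.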
Select Devices | <Admin Domain Name> | Global | Default Device Settings | Common | Remote Access | NMS | NMS Devices.
Click Delete.
After installing the Manager software, one of the first tasks you will perform is setting the schedule for
receiving updates from the McAfee Network Security Update Server (Update Server). These updates
include signature files for your Sensors and software for your Manager and/or Sensors.
You can only perform one download/upload at a time from any Network Security Platform component,
including the Update Server.
You can perform the following actions using the Update Server:
Downloading software updates Download the latest Sensor or NTBA Appliance software image file
from the Update Server to the Manager.
Downloading signature set updates Download the latest attack and signature information from
the Update Server to the Manager.
Automating updates Configure the frequency by which the Manager checks the Update Server for
updates, and the frequency by which Sensors and NTBA Appliances receive signature updates from
the Manager.
Manually importing a Sensor and NTBA Appliance image or signature set Manually import
downloaded Sensor or NTBA Appliance software image and signature files to the Manager.
For more information on the Update Server, see McAfee Network Security Platform Manager
Administration Guide.
You uninstall McAfee Network Security Manager (Manager) and McAfee Network Security Central
Manager (Central Manager) using the standard Windows Add/Remove Programs feature.
Contents
Uninstall using the Add/Remove program
Uninstall using the script
Task
1 Go to Start | Settings | Control Panel | Add/Remove Programs and select Network Security Platform.
After uninstallation, the message All items were successfully uninstalled is displayed.
Navigate to the directory containing the uninstallation script. The default path is: <Network Security Platform installation directory>\UninstallerData
Run Uninstall ems.exe.
Index
A
about this guide 7
anti-virus software 20
authenticated proxy server 92
Authenticated Proxy server 73, 74, 80
B
Browser display settings 14
C
cable specifications 53
CAC authentication 44
Central Manager
shutting down 48
client connections
closing 48
communication 57
configuration 56, 95
control panel
shutting down 49
conventions and icons used in this guide 7
D
database requirements
determine 16
MySQL 16
dedicated interface 23
dedicated server 11
desktop firewall
installing 18
device
add 74
device access
manage 98
device configuration
update 81
device configuration; troubleshooting 97
Device installation wizard 66
device license
assign 91
import 90
device licenses 63
devices
configure 65
configure; manage 95
delete 81
diagnostics trace
upload 97
documentation
audience for this guide 7
product-specific, finding 8
typographical conventions and icons 7
F
fail-closed dongle specification 54
fail-open functionality
about; fail-closed functionality 82, 90
failover pairs
manage 88
fiber-optic ports 52
functional requirements 18
I
in-line mode 96
incorrect license file import 63
installation
planning 17
pre-requisites 17
J
java installation; client systems 44
java runtime engine 15
M
Manager installation; local service account 13
Manager specifications 16
Manager uninstallation; Central Manager uninstallation 105
add/remove program 105
using script 106
Manager; Central manager
downloading executable 21
Manager; Central Manager
installation 23
shutting down 47
N
network topology 51
new SNMP users
add 99
NMS IP address; new
add 101
NMS IP addresses
delete 101
manage 101
NTP server 93
O
offline devices
export software 85, 87
software; update 86
update 85
offline download 88
offline signature set update 84
P
port pin-outs 5456
pre-installation 11
pre-requisites
installation 11
S
safety warnings 52
secondary Manager IP
add 62
remove 62
Sensor
configure; CLI 69
Sensor
add 51, 68
configure 56, 58
install 51
unpack 53
Sensor box contents 53
Sensor installation wizard 66
Sensor IP; Manager IP
change 62
T
TACACS+ authentication 98
Technical Support, finding product information 8
third-party applications 12
troubleshooting 40
U
update server
configuring 103
Update Server
signature updates;updates 67
usage restrictions 52
user interface; MySQL 21
V
VirusScan; SMTP 20
VMware platform 13